Computer intrusion detection through EWMA for autocorrelated and uncorrelated data

Nong Ye; Sean Vilbert; Qiang Chen

doi:10.1109/TR.2002.805796

Computer intrusion detection through EWMA for autocorrelated and uncorrelated data

Nong Ye, Sean Vilbert, Qiang Chen

Industrial, Systems and Operations Engineering

Research output: Contribution to journal › Article › peer-review

116 Scopus citations

Abstract

Reliability and quality of service from information systems has been threatened by cyber intrusions. To protect information systems from intrusions and thus assure reliability and quality of service, it is highly desirable to develop techniques that detect intrusions. Many intrusions manifest in anomalous changes in intensity of events occurring in information systems. In this study, we apply, test, and compare two EWMA techniques to detect anomalous changes in event intensity for intrusion detection: EWMA for autocorrelated data and EWMA for uncorrelated data. Different parameter settings and their effects on performance of these EWMA techniques are also investigated to provide guidelines for practical use of these techniques.

Original language	English (US)
Pages (from-to)	75-82
Number of pages	8
Journal	IEEE Transactions on Reliability
Volume	52
Issue number	1
DOIs	https://doi.org/10.1109/TR.2002.805796
State	Published - Mar 2003

Keywords

Anomaly detection
Computer audit data
Exponentially weighted moving average (EWMA)
Information assurance
Intrusion detection

ASJC Scopus subject areas

Safety, Risk, Reliability and Quality
Electrical and Electronic Engineering

Access to Document

10.1109/TR.2002.805796

Cite this

@article{d79c747db7e7401cab4539d9ea347d59,

title = "Computer intrusion detection through EWMA for autocorrelated and uncorrelated data",

abstract = "Reliability and quality of service from information systems has been threatened by cyber intrusions. To protect information systems from intrusions and thus assure reliability and quality of service, it is highly desirable to develop techniques that detect intrusions. Many intrusions manifest in anomalous changes in intensity of events occurring in information systems. In this study, we apply, test, and compare two EWMA techniques to detect anomalous changes in event intensity for intrusion detection: EWMA for autocorrelated data and EWMA for uncorrelated data. Different parameter settings and their effects on performance of these EWMA techniques are also investigated to provide guidelines for practical use of these techniques.",

keywords = "Anomaly detection, Computer audit data, Exponentially weighted moving average (EWMA), Information assurance, Intrusion detection",

author = "Nong Ye and Sean Vilbert and Qiang Chen",

note = "Funding Information: Manuscript received July 3, 2000; revised May 15, 2001. This work was supported in part by the U.S. Defense Advanced Research Project Agency (DARPA)/Air Force Research Laboratory - Rome (AFRL-Rome) under Grant F30602-99-1-0506. Responsible Editor: J. H. Lambert. N. Ye is with the Information and Systems Assurance Laboratory, Arizona State University, Tempe, AZ 85287 USA (e-mail: NongYe@asu.edu). S. Vilbert and Q. Chen are with the Department of Industrial Engineering, Arizona State University, Tempe, AZ 85287 USA. Digital Object Identifier 10.1109/TR.2002.805796",

year = "2003",

month = mar,

doi = "10.1109/TR.2002.805796",

language = "English (US)",

volume = "52",

pages = "75--82",

journal = "IEEE Transactions on Reliability",

issn = "0018-9529",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

number = "1",

}

TY - JOUR

T1 - Computer intrusion detection through EWMA for autocorrelated and uncorrelated data

AU - Ye, Nong

AU - Vilbert, Sean

AU - Chen, Qiang

N1 - Funding Information: Manuscript received July 3, 2000; revised May 15, 2001. This work was supported in part by the U.S. Defense Advanced Research Project Agency (DARPA)/Air Force Research Laboratory - Rome (AFRL-Rome) under Grant F30602-99-1-0506. Responsible Editor: J. H. Lambert. N. Ye is with the Information and Systems Assurance Laboratory, Arizona State University, Tempe, AZ 85287 USA (e-mail: NongYe@asu.edu). S. Vilbert and Q. Chen are with the Department of Industrial Engineering, Arizona State University, Tempe, AZ 85287 USA. Digital Object Identifier 10.1109/TR.2002.805796

PY - 2003/3

Y1 - 2003/3

N2 - Reliability and quality of service from information systems has been threatened by cyber intrusions. To protect information systems from intrusions and thus assure reliability and quality of service, it is highly desirable to develop techniques that detect intrusions. Many intrusions manifest in anomalous changes in intensity of events occurring in information systems. In this study, we apply, test, and compare two EWMA techniques to detect anomalous changes in event intensity for intrusion detection: EWMA for autocorrelated data and EWMA for uncorrelated data. Different parameter settings and their effects on performance of these EWMA techniques are also investigated to provide guidelines for practical use of these techniques.

AB - Reliability and quality of service from information systems has been threatened by cyber intrusions. To protect information systems from intrusions and thus assure reliability and quality of service, it is highly desirable to develop techniques that detect intrusions. Many intrusions manifest in anomalous changes in intensity of events occurring in information systems. In this study, we apply, test, and compare two EWMA techniques to detect anomalous changes in event intensity for intrusion detection: EWMA for autocorrelated data and EWMA for uncorrelated data. Different parameter settings and their effects on performance of these EWMA techniques are also investigated to provide guidelines for practical use of these techniques.

KW - Anomaly detection

KW - Computer audit data

KW - Exponentially weighted moving average (EWMA)

KW - Information assurance

KW - Intrusion detection

UR - http://www.scopus.com/inward/record.url?scp=0037333205&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0037333205&partnerID=8YFLogxK

U2 - 10.1109/TR.2002.805796

DO - 10.1109/TR.2002.805796

M3 - Article

AN - SCOPUS:0037333205

SN - 0018-9529

VL - 52

SP - 75

EP - 82

JO - IEEE Transactions on Reliability

JF - IEEE Transactions on Reliability

IS - 1

ER -

Computer intrusion detection through EWMA for autocorrelated and uncorrelated data

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this